Interestingly, a very similar issue has cropped up in our environment just yesterday (for OID 1 3 6 1 4 1 311 17 2). Not sure if there was a Microsoft update or what that recently caused us to start seeing this issue, but we've also had a really hard time tracking down documentation on this particular OID. In our case, the attribute.Value.Bytes is a bunch of \0 bytes, so we've created a mirror as a temporary workaround that ignores empty (after bytes.Trim) OIDs.

It's really hard to figure out what to do with the bytes in our case if they ever are not empty (though honestly in my case, we don't care, we just want the cert, but in the general case that may not be true depending on what they mean).

The best I've been able to come up with as an action plan is to dive into OpenSSL and see how they're handling it, but I'm pretty unfamiliar with both the language and codebase.